jln@eecs.nwu.edu (John Norstad) (11/17/88)
Someone asked for a list of known Mac viruses and their resource identifications, so that users of Virus Detective could update the list of suspicious resources, and so that users of ResEdit would know what to look for. Here's what I know about Scores and two strains of nVIR:

Scores infected system files:

Type ID    Size  Files
---- ----- ----- ------------------------------
INIT 6     772   System, Note Pad File, Scrapbook File
INIT 10    1020  System, Desktop, Scores
INIT 17    480   System, Scrapbook File
atpl 128   2410  System, Desktop, Scores
DATA -4001 7026  System, Desktop, Scores

Scores infected applications:

Type ID   Size
---- ---- -----
CODE n+1  7026

where n = the id of the first unused CODE resource. For example, if the application has CODE resources numbered 0,1,2,3,4,5, then n=6 and the viral CODE resource is numbered n+1=7.

nVIR infected System file:

Type ID   Size A  Size B
---- ---- ------- -------
INIT 32   366     416
nVIR 0    2       2
nVIR 1    378     428
nVIR 4    372     422
nVIR 5    8       8
nVIR 6    868     66
nVIR 7    1562    2106

nVIR infected application:

Type ID   Size A  Size B
---- ---- ------- -------
CODE 256  372     422
nVIR 1    378     428
nVIR 2    8       8
nVIR 3    366     416
nVIR 6    868     66
nVIR 7    1562    2106

Unlike Scores, nVIR does not infect any files in the system folder other than the System file itself. The two columns "A" and "B" above are the sizes for what I call "nVIR strain A" and "nVIR strain B".

Hope this helps.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
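An added example, not part of John's posting or of Virus Detective or ResEdit themselves: a small Python checker that applies the resource signatures in the tables above to a resource listing, including the floating CODE n+1 id for Scores and the strain A/B sizes for nVIR. The listing it takes is constructed sample data in the form of (type, id, size) tuples, as one would read them off ResEdit.

```python
from collections import defaultdict

# Signatures transcribed from the tables above: (type, id) -> sizes seen.
# Where two sizes are listed they are nVIR strain A and strain B.
SCORES_SYSTEM = {("INIT", 6): {772}, ("INIT", 10): {1020}, ("INIT", 17): {480},
                 ("atpl", 128): {2410}, ("DATA", -4001): {7026}}
SCORES_APP_CODE_SIZE = 7026
NVIR_SYSTEM = {("INIT", 32): {366, 416}, ("nVIR", 0): {2}, ("nVIR", 1): {378, 428},
               ("nVIR", 4): {372, 422}, ("nVIR", 5): {8}, ("nVIR", 6): {868, 66},
               ("nVIR", 7): {1562, 2106}}
NVIR_APP = {("CODE", 256): {372, 422}, ("nVIR", 1): {378, 428}, ("nVIR", 2): {8},
            ("nVIR", 3): {366, 416}, ("nVIR", 6): {868, 66}, ("nVIR", 7): {1562, 2106}}
NVIR_7_STRAIN = {1562: "A", 2106: "B"}  # the size of nVIR 7 tells the strains apart

def scores_app_code_id(resources):
    """Scores puts its CODE resource at n+1, n being the first unused CODE id."""
    code_ids = {rid for rtype, rid, _ in resources if rtype == "CODE"}
    n = 0
    while n in code_ids:
        n += 1
    return n + 1

def check_resources(resources, is_application):
    """resources: (type, id, size) tuples as read off ResEdit. Returns findings."""
    index = defaultdict(set)
    for rtype, rid, size in resources:
        index[(rtype, rid)].add(size)
    findings = set()
    # Scores: exact (type, id, size) matches; in applications the CODE id floats.
    if is_application:
        if SCORES_APP_CODE_SIZE in index[("CODE", scores_app_code_id(resources))]:
            findings.add("Scores")
    elif any(index[key] & sizes for key, sizes in SCORES_SYSTEM.items()):
        findings.add("Scores")
    # nVIR: a resource of type 'nVIR' is suspicious by itself; the table sizes
    # then say which strain it is (neither size means an unknown variant).
    table = NVIR_APP if is_application else NVIR_SYSTEM
    hits = [key for key, sizes in table.items() if index[key] & sizes]
    has_nvir_type = any(rtype == "nVIR" for rtype, _, _ in resources)
    if has_nvir_type or len(hits) >= 2:
        strains = {NVIR_7_STRAIN.get(s) for s in index[("nVIR", 7)]} - {None}
        findings.add("nVIR strain " + strains.pop() if len(strains) == 1
                     else "nVIR (unknown strain)")
    return sorted(findings)

# Constructed sample: app with CODE 0-5, a Scores CODE 7 and nVIR strain B resources.
SAMPLE_APP = [("CODE", i, 1000) for i in range(6)] + [
    ("CODE", 7, 7026), ("CODE", 256, 422), ("nVIR", 1, 428), ("nVIR", 2, 8),
    ("nVIR", 3, 416), ("nVIR", 6, 66), ("nVIR", 7, 2106)]
```

Run `check_resources(SAMPLE_APP, is_application=True)` to see both infections reported; a clean application with only its own CODE resources yields an empty list.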
jln@eecs.nwu.edu (John Norstad) (11/18/88)
I made a mistake in my "Viral Resources" posting. nVIR DOES infect system folder files other than the System file itself (e.g., Finder and DA Handler). I was thinking of the "first prong" of the attack, when an nVIR-infected application first infects a previously clean system. Finder and DA Handler get infected during the "second prong", when the infected system starts infecting other applications and things that look like applications like the Finder and DA Handler. Scores, by the way, also has this behaviour.

Sorry for the confusion.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
alexis@ccnysci.UUCP (Alexis Rosen) (11/18/88)
It should be noted that nVIR also patches some resources, not just adds some. I believe that it patches CODE 1 (or was it CODE 0? John?)

/Alexis
MacUserLabs@cup.portal.com (Stephan - Somogyi) (11/20/88)
The affected CODE resource is 0. CODE 0 contains the jump table that gets patched so that the viral code gets executed before the application's code.

Stephan

<--------------------------------------------------------------->
Stephan Somogyi
Software Engineer
MacUser Labs
950 Tower Lane, 18th Floor
Foster City, CA 94404
...sun!cup.portal.com!MacUserLabs or MacUserLabs@cup.portal.com
BIX: mulabs  CIS: 72511,16  MacNET: MULABS  FAX: (415) 378-5675
The opinions expressed may or may not represent those of my employer